Michael Tokarev
2022-Nov-19 11:36 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
Hi!

I've created a new Samba-based AD DC, using samba-tool domain provision, and joined a windows machine to it. It works fairly well. However, there's an interesting thing about it.

When trying to view the Permissions tab of a file in a random share from within windows explorer (in the file properties dialog), the explorer crashes. It looks like it is trying to convert SIDs returned by samba to a text form, - because first it shows the numeric SIDs in the list for a brief moment, before crashing.

On another domain, this works, and I see it displays numeric SIDs first and converts them into names (like UNIX group foo etc) second. On this newly created domain, it looks like this conversion causes explorer to crash (and it crashes completely, so that the "instance" which shows desktop is restarted too).

At the same time, samba logs show this:

  [2022/11/19 14:25:53.990119, 0] ../../source4/auth/unix_token.c:109(security_token_to_unix_token)
    Unable to convert second SID (S-1-5-21-540662649-332824406-1706519170-513) in user token to a GID. Conversion was returned as type 0, full token:
  [2022/11/19 14:25:53.990225, 0] ../../libcli/security/security_token.c:51(security_token_debug)
    Security token SIDs (10):
      SID[ 0]: S-1-5-21-540662649-332824406-1706519170-1103
      SID[ 1]: S-1-5-21-540662649-332824406-1706519170-513
      SID[ 2]: S-1-5-21-540662649-332824406-1706519170-512
      SID[ 3]: S-1-5-21-540662649-332824406-1706519170-572
      SID[ 4]: S-1-1-0
      SID[ 5]: S-1-5-2
      SID[ 6]: S-1-5-11
      SID[ 7]: S-1-5-32-545
      SID[ 8]: S-1-5-32-544
      SID[ 9]: S-1-5-32-554
    Privileges (0x 1FFFFF00):
      Privilege[ 0]: SeTakeOwnershipPrivilege
      Privilege[ 1]: SeBackupPrivilege
      Privilege[ 2]: SeRestorePrivilege
      Privilege[ 3]: SeRemoteShutdownPrivilege
      Privilege[ 4]: SeSecurityPrivilege
      Privilege[ 5]: SeSystemtimePrivilege
      Privilege[ 6]: SeShutdownPrivilege
      Privilege[ 7]: SeDebugPrivilege
      Privilege[ 8]: SeSystemEnvironmentPrivilege
      Privilege[ 9]: SeSystemProfilePrivilege
      Privilege[ 10]: SeProfileSingleProcessPrivilege
      Privilege[ 11]: SeIncreaseBasePriorityPrivilege
      Privilege[ 12]: SeLoadDriverPrivilege
      Privilege[ 13]: SeCreatePagefilePrivilege
      Privilege[ 14]: SeIncreaseQuotaPrivilege
      Privilege[ 15]: SeChangeNotifyPrivilege
      Privilege[ 16]: SeUndockPrivilege
      Privilege[ 17]: SeManageVolumePrivilege
      Privilege[ 18]: SeImpersonatePrivilege
      Privilege[ 19]: SeCreateGlobalPrivilege
      Privilege[ 20]: SeEnableDelegationPrivilege
    Rights (0x 403):
      Right[ 0]: SeInteractiveLogonRight
      Right[ 1]: SeNetworkLogonRight
      Right[ 2]: SeRemoteInteractiveLogonRight

This is happening on the DC itself, there's no other machines in this domain yet, - just the DC and a test machine with Windows 10 LTSC (1809) joined to it.

I don't know where these SIDs are coming from (-512, -513, -572).

What to do next to debug and fix this?

Thanks,

/mjt
Michael Tokarev
2022-Nov-19 11:49 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
19.11.2022 14:36, Michael Tokarev via samba wrote:
> Unable to convert second SID (S-1-5-21-540662649-332824406-1706519170-513) in user token to a GID. Conversion was returned as type 0, full token:

I found this: https://www.spinics.net/lists/samba/msg174381.html which shows an issue with idmap.ldb. But in my case this is a fresh domain, created with nothing in /var/lib/samba/, so I can't restore idmap.ldb from a backup, - because this file has just been created (and no, I didn't try to replicate it to another DC yet, to fix the uid/gid mismatches there as has been mentioned in another thread).

From tdbdump /var/lib/samba/private/idmap.ldb:

  {
  key(50) = "DN=CN=S-1-5-21-540662649-332824406-1706519170-513\00"
  data(231) = "g\19\01&\05\00\00\00CN=S-1-5-21-540662649-332824406-1706519170-513\00cn\00\01\00\00\00+\00\00\00S-1-5-21-540662649-332824406-1706519170-513\00objectClass\00\01\00\00\00\06\00\00\00sidMap\00objectSid\00\01\00\00\00\1C\00\00\00\01\05\00\00\00\00\00\05\15\00\00\00y\DB9 V\7F\D6\13\82j\B7e\01\02\00\00\00type\00\01\00\00\00\0B\00\00\00ID_TYPE_GID\00xidNumber\00\01\00\00\00\03\00\00\00100\00"
  }

- which - I think - should match, no?

Thanks,

/mjt
Michael Tokarev
2022-Nov-19 14:16 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
...

So, this boils down to, so far:

This (problematic, fresh) domain:

  # wbinfo -s S-1-5-21-880456541-1649917288-23935232-513
  PZ\Domain Users 2
  # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
  failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid S-1-5-21-880456541-1649917288-23935232-513 to gid

On another, working, domain:

  # wbinfo -s S-1-5-21-411424318-379842365-2075518510-513
  TLS\Domain Users 2
  # wbinfo -Y S-1-5-21-411424318-379842365-2075518510-513
  100

idmap.ldb seems to be having similar information (besides the domain sid of course)

and now.. after quite some time, without me doing anything, it shows (on the bad domain):

  # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-513
  3004

I think this comes from my attempts to add something in there:

  # idmap config * : backend = tdb
  # idmap config * : range = 3000-3099

which I commented out quite some time ago. Or not - I recreated the domain with these commented out, so it is again unclear where it got the 3000 number from.

But still (different id, 512 instead of 513):

  # wbinfo -Y S-1-5-21-880456541-1649917288-23935232-512
  failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid S-1-5-21-880456541-1649917288-23935232-512 to gid

What Is Going On? Does anyone know if this beast *ever* work? This is a *fresh* domain, just created...

/mjt